Day 21 - AWS Policy and Governance
For Day 21 of my AWS Terraform learning journey, I worked on a mini project focused on AWS policy creation and governance setup. The goal was to build a small but practical governance foundation using Terraform, IAM policies, AWS Config, S3 security controls, and compliance rules.
This project helped me understand how cloud governance is not just about creating resources. It is about continuously checking whether those resources follow security and compliance expectations.
Project Goal
The main goal of this project was to create a governance setup that can monitor AWS resources and detect misconfigurations.
I implemented the following:
IAM policies for security enforcement
AWS Config recorder for continuous monitoring
AWS Config delivery channel to store snapshots in S3
Seven AWS Config managed rules
Secure S3 bucket for Config data
Account password policy
Required tagging checks
Public access and encryption controls
This is a good example of using infrastructure as code for governance.
Architecture
This diagram should show IAM policies, AWS Config recorder, Config delivery channel, S3 bucket for configuration snapshots, AWS Config rules, and compliance monitoring.
In this setup, IAM policies enforce preventive controls, while AWS Config provides detective controls. The S3 bucket stores configuration snapshots and compliance history. AWS Config rules evaluate whether resources follow required standards.
Terraform Project Structure
The project was organized into separate Terraform files:
provider.tf contains the AWS provider and Terraform backend configuration.
variables.tf contains input variables.
locals.tf contains common tags.
main.tf creates the secure S3 bucket for AWS Config.
iam.tf creates IAM roles, policies, demo user, and password policy.
config.tf creates the AWS Config recorder, delivery channel, and rules.
outputs.tf prints useful values and test commands.
This structure keeps the project easier to read and maintain.
IAM Policies Implemented
I created three custom IAM policies.
The first policy denies S3 object deletion unless the request was made with an MFA-authenticated session. This protects important objects from accidental or unauthorized deletion by any principal that has not authenticated with MFA, including anyone holding only long-term access keys.
The second policy denies S3 access over insecure transport, so every S3 call must use HTTPS rather than plain HTTP.
The third policy enforces required tags during resource creation. In this project, I used Environment and Owner as required tags. Tagging is important for ownership, cost tracking, automation, and governance. IAM can only enforce this on API calls that accept tags in the create request (such as ec2:RunInstances); a resource created untagged by another path, or whose tags are removed later, is caught by the Config required-tags rule instead.
This screenshot should show the custom IAM policies created by Terraform.
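The three policies above, plus the account password policy that lives in iam.tf, written out as Terraform. This is an added example and not the post's own iam.tf: the policy names, the demo user governance-demo-user and the password thresholds are illustrative assumptions, while Environment and Owner are the tag keys the post uses. The condition operators are the part worth copying.

```hcl
# Added example, not the post's iam.tf. Resource names and the demo user are
# assumptions; Environment and Owner are the required tag keys from the post.
locals {
  required_tag_keys = ["Environment", "Owner"]
}

# 1. Deny S3 object deletion unless the session was MFA-authenticated.
#    BoolIfExists is deliberate: with plain Bool, a request that carries no
#    aws:MultiFactorAuthPresent key at all (long-term access keys) would not
#    match the Deny and would still be allowed to delete.
resource "aws_iam_policy" "deny_s3_delete_without_mfa" {
  name = "governance-demo-deny-s3-delete-without-mfa"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyDeleteWithoutMFA"
      Effect    = "Deny"
      Action    = ["s3:DeleteObject", "s3:DeleteObjectVersion"]
      Resource  = "arn:aws:s3:::*/*"
      Condition = { BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" } }
    }]
  })
}

# 2. Deny every S3 call that did not arrive over TLS.
resource "aws_iam_policy" "deny_s3_insecure_transport" {
  name = "governance-demo-deny-s3-insecure-transport"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Action    = "s3:*"
      Resource  = ["arn:aws:s3:::*", "arn:aws:s3:::*/*"]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}

# 3. Deny ec2:RunInstances unless each required tag is present in the request.
#    Resource is limited to instance and volume ARNs on purpose: RunInstances
#    is also evaluated against the AMI, subnet and security group, which never
#    carry aws:RequestTag keys, so a wildcard Resource would deny every launch.
resource "aws_iam_policy" "require_tags_on_create" {
  name = "governance-demo-require-tags-on-create"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [for key in local.required_tag_keys : {
      Sid       = "RequireTag${key}"
      Effect    = "Deny"
      Action    = "ec2:RunInstances"
      Resource  = ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"]
      Condition = { Null = { "aws:RequestTag/${key}" = "true" } }
    }]
  })
}

# Identity policies only bind the principals they are attached to. Attaching
# them to a demo user is what makes the later tests meaningful; the root user
# and any unattached role are unaffected by these denies.
resource "aws_iam_user" "demo" {
  name = "governance-demo-user"
}

resource "aws_iam_user_policy_attachment" "demo" {
  for_each = {
    mfa       = aws_iam_policy.deny_s3_delete_without_mfa.arn
    transport = aws_iam_policy.deny_s3_insecure_transport.arn
    tags      = aws_iam_policy.require_tags_on_create.arn
  }
  user       = aws_iam_user.demo.name
  policy_arn = each.value
}

# Account password policy, evaluated later by the IAM_PASSWORD_POLICY rule.
# The thresholds are assumptions; set them to match your own standard.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}
```

A quick way to check the conditions before applying: run aws iam simulate-custom-policy with the policy JSON and an action such as s3:DeleteObject, once with a context entry aws:MultiFactorAuthPresent=false and once with no entry at all; both must come back as implicitDeny or explicitDeny, which is exactly what BoolIfExists buys over Bool.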
AWS Config Setup
AWS Config was the main governance service in this project. I created an AWS Config IAM role, configuration recorder, delivery channel, and rules.
The configuration recorder tracks supported AWS resources. The delivery channel sends configuration snapshots to an encrypted and versioned S3 bucket.
This screenshot should prove that the AWS Config recorder is enabled and recording.
This screenshot should show the S3 bucket used by AWS Config to store snapshots.
AWS Config Rules
I configured seven AWS managed Config rules (managed rule identifiers in parentheses):
S3 public write prohibited (S3_BUCKET_PUBLIC_WRITE_PROHIBITED)
S3 server-side encryption enabled (S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED)
S3 public read prohibited (S3_BUCKET_PUBLIC_READ_PROHIBITED)
EBS volumes encrypted (ENCRYPTED_VOLUMES)
Required tags (REQUIRED_TAGS)
IAM password policy (IAM_PASSWORD_POLICY)
Root account MFA enabled (ROOT_ACCOUNT_MFA_ENABLED)
These rules check common security and governance requirements.
This screenshot should show all seven rules created by Terraform.
This screenshot should show whether each rule is COMPLIANT, NON_COMPLIANT, or still collecting data (INSUFFICIENT_DATA).
Some rules may show INSUFFICIENT_DATA immediately after deployment. That is expected: change-triggered rules such as the S3 and EBS checks only evaluate a resource after the recorder has delivered a configuration item for it, and periodic rules such as the root account MFA check run on a schedule. Give it a few minutes, or trigger a run with aws configservice start-config-rules-evaluation --config-rule-names followed by the rule names.
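The Config side of the project as an added example, not the post's config.tf. It assumes the snapshot bucket and its bucket policy are declared elsewhere as aws_s3_bucket.config and aws_s3_bucket_policy.config, that the provider's region is the only one in which a recorder runs, and that the resource names are placeholders.

```hcl
# Added example, not the post's config.tf. Assumes aws_s3_bucket.config and
# aws_s3_bucket_policy.config exist in another file; names are placeholders.

# Service role that Config assumes to read resource configurations and write
# snapshots. AWS_ConfigRole is the AWS-managed policy intended for this.
resource "aws_iam_role" "config" {
  name = "governance-demo-config-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "config.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

resource "aws_iam_role_policy_attachment" "config" {
  role       = aws_iam_role.config.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole"
}

# Recorder: which resources Config tracks. Global resource types (IAM users,
# policies, ...) should be recorded in exactly one region; recording them in
# several regions just multiplies configuration items and cost.
resource "aws_config_configuration_recorder" "main" {
  name     = "governance-demo-recorder"
  role_arn = aws_iam_role.config.arn
  recording_group {
    all_supported                 = true
    include_global_resource_types = true
  }
}

# Delivery channel: where snapshots and history files go. Config validates the
# bucket permissions when the channel is created, so the bucket policy must be
# applied first or you get "Insufficient delivery policy to s3 bucket".
resource "aws_config_delivery_channel" "main" {
  name           = "governance-demo-channel"
  s3_bucket_name = aws_s3_bucket.config.id
  depends_on = [
    aws_config_configuration_recorder.main,
    aws_s3_bucket_policy.config,
  ]
}

# Recording only starts once a delivery channel exists.
resource "aws_config_configuration_recorder_status" "main" {
  name       = aws_config_configuration_recorder.main.name
  is_enabled = true
  depends_on = [aws_config_delivery_channel.main]
}

# The seven managed rules, keyed by AWS source identifier. Only REQUIRED_TAGS
# needs parameters; they are passed as a JSON string.
locals {
  config_rules = {
    S3_BUCKET_PUBLIC_WRITE_PROHIBITED        = null
    S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED = null
    S3_BUCKET_PUBLIC_READ_PROHIBITED         = null
    ENCRYPTED_VOLUMES                        = null
    IAM_PASSWORD_POLICY                      = null
    ROOT_ACCOUNT_MFA_ENABLED                 = null
    REQUIRED_TAGS = jsonencode({ tag1Key = "Environment", tag2Key = "Owner" })
  }
}

resource "aws_config_config_rule" "managed" {
  for_each         = local.config_rules
  name             = lower(replace(each.key, "_", "-"))
  input_parameters = each.value
  source {
    owner             = "AWS"
    source_identifier = each.key
  }
  # A rule cannot be created until the recorder exists.
  depends_on = [aws_config_configuration_recorder.main]
}
```

After terraform apply, aws configservice describe-configuration-recorder-status should report recording true, and aws configservice describe-compliance-by-config-rule lists each rule with its current compliance type; the rule names it prints are the lower-cased, hyphenated identifiers produced by the name expression above.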
S3 Security Controls
The S3 bucket used for AWS Config snapshots was secured with multiple controls.
Versioning was enabled to preserve history.
Server-side encryption was enabled using AES256 (SSE-S3).
Public access was blocked with all four public access block settings.
A bucket policy denied insecure transport.
The same bucket policy allowed the AWS Config service principal to check the bucket and write snapshots under its AWSLogs prefix.
This screenshot should show that default encryption is enabled.
This screenshot should show that all public access block settings are enabled.
This screenshot should show that versioning is enabled on the bucket.
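The bucket and the five controls above as Terraform, added here as an example rather than the post's main.tf. The bucket name is an assumption; the Config statements in the bucket policy follow the permissions AWS Config requires before it accepts a delivery channel for a bucket.

```hcl
# Added example, not the post's main.tf. The bucket name is an assumption.
data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "config" {
  bucket        = "governance-demo-config-${data.aws_caller_identity.current.account_id}"
  force_destroy = true # demo only: lets terraform destroy remove a non-empty bucket
}

# Versioning keeps every snapshot version, so a tampered or deleted object
# can be recovered.
resource "aws_s3_bucket_versioning" "config" {
  bucket = aws_s3_bucket.config.id
  versioning_configuration {
    status = "Enabled"
  }
}

# Default encryption with SSE-S3 (AES256); this is what the
# S3_BUCKET_SERVER_SIDE_ENCRYPTION_ENABLED rule checks for.
resource "aws_s3_bucket_server_side_encryption_configuration" "config" {
  bucket = aws_s3_bucket.config.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# All four public access block settings on: a public ACL or public bucket
# policy is rejected outright instead of just being reported later.
resource "aws_s3_bucket_public_access_block" "config" {
  bucket                  = aws_s3_bucket.config.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Bucket policy: let the Config service principal (scoped to this account)
# check the bucket and write under the prefix Config uses, and deny any
# request that is not over TLS. The Deny carries Principal "*" but is not a
# public grant, so block_public_policy does not reject it.
resource "aws_s3_bucket_policy" "config" {
  bucket     = aws_s3_bucket.config.id
  depends_on = [aws_s3_bucket_public_access_block.config]
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AWSConfigBucketPermissionsCheck"
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        Action    = ["s3:GetBucketAcl", "s3:ListBucket"]
        Resource  = aws_s3_bucket.config.arn
        Condition = {
          StringEquals = { "AWS:SourceAccount" = data.aws_caller_identity.current.account_id }
        }
      },
      {
        Sid       = "AWSConfigBucketDelivery"
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        Action    = "s3:PutObject"
        Resource  = "${aws_s3_bucket.config.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*"
        Condition = {
          StringEquals = {
            "s3:x-amz-acl"      = "bucket-owner-full-control"
            "AWS:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      },
      {
        Sid       = "DenyInsecureTransport"
        Effect    = "Deny"
        Principal = "*"
        Action    = "s3:*"
        Resource  = [aws_s3_bucket.config.arn, "${aws_s3_bucket.config.arn}/*"]
        Condition = { Bool = { "aws:SecureTransport" = "false" } }
      }
    ]
  })
}
```

The AWS:SourceAccount conditions are the detail most tutorials omit: without them any account's Config service could be pointed at this bucket, since the service principal is the same everywhere. To confirm the controls from the CLI, aws s3api get-bucket-encryption, get-public-access-block and get-bucket-versioning each take --bucket and return the settings shown in the screenshots.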
Testing
Test 1: Create EC2 Without Required Tags
Create an EC2 instance manually without the Environment and Owner tags. Launched as the demo user, the IAM policy should deny the request; launched by an unrestricted user, the instance is created and the required-tags Config rule should then report it as NON_COMPLIANT.
Test 2: Make S3 Bucket Public
What I Learned
This project made governance more practical for me. IAM policies and AWS Config work together, but they solve different problems.
IAM policies are preventive controls. They stop users or services from doing something that violates the policy.
AWS Config rules are detective controls. They continuously check the environment and report whether resources are compliant.
This is similar to database security. IAM policies are like database roles and privileges. AWS Config is like an audit process that checks whether the database configuration still follows standards.
Cleanup
After testing, I destroyed the resources using:
terraform destroy
Since this project uses AWS Config, cleanup is important to avoid unnecessary charges: Config bills per configuration item recorded and per rule evaluation, so a recorder left enabled keeps costing money even after everything else is gone. Note that terraform destroy cannot delete the snapshot bucket while it still holds objects unless the bucket was created with force_destroy = true or was emptied first.
Final Thoughts
Day 21 was a useful project because governance is a real cloud engineering responsibility. It is not enough to create infrastructure. The infrastructure must be secure, tagged, monitored, and continuously evaluated.
This project gave me hands on practice with IAM policies, AWS Config, compliance rules, S3 security, and Terraform based governance.